Autoit script and Symantec Endpoint Protection 12 are very VERY slow

Recommended Posts

akorx 0

akorx 0

I'm french so sorry for my bad english... i will try to explain one problem that i've got since 1 month. I've got a lot of autoit scripts that run on my LAN (compile scripts). I use the last version of autoit.

One month ago, my virus protection was "symantec endpoint portection 11" and now it's "symantec endpoint portection 12" (exactly : "12.1.1000.157 RU1"). Since this change there is something that is very strange : when i copy one of those scripts (it's the same thing with all my scripts) on a workstation with windows or dos, the copy takes 1 or 2 minutes (before it was immediate) but there no problem with others programs...

So what happens to my scripts ? the scan seems to be very but VERY VERY slow.

I've called the symantec enpoint support and given one my program : there is no virus... so they anwser me to do exceptions in the configuration of the proection but i don't want to do that (for a lot of reason : lot of programs and this is not a solution for me).

PS : I had scan my scrips with norton, symantec, and avast and there no problem...

Share this post

Link to post

Share on other sites

akorx 0

akorx 0

Press Ctrl+F7 in SciTE and on tab "AutoIt3/Aut2Exe" you will see if "Use UPX" is checked.

First, thank for your help...

Well, i've seen the "upx problem" that your are talking about (and that I didn't know) and then i've decided to had those lines to my first script :

#region

#AutoIt3Wrapper_UseUpx=n

#endregion

Now it's really better with all my scripts (the scans run now fast in one or two seconds when it took one or two minutes before) except for the first script that i've posted where it takes again one minute when i copy the exe to the disk (with "@copy myscript.exe c:temp*.* /y")...

Where is the problem ? which lines are not "correct" for the anti virus ?

NB : i've added another option that is #AutoIt3Wrapper_Compression=0 but it's the same thing... it's again slow with this script...

Share this post

Link to post

Share on other sites

kckennedy 0

kckennedy 0

We found that disabling the "Use Upx" option did not resolve this issue when using AutoIt version v3.3.8.1. However, disabling the "Use Upx" option did resolve the issue for us when we went back and tested with the v3.3.6.1 and v3.3.0.0 versions of AutoIt.

Share this post

Link to post

Share on other sites

Reg2Post 2

Reg2Post 2

I always had false positives and slow exe launch times with UPX compression enabled with SEP 12 and 12.1. Issues were resolved after disabling UPX compression on compiled exes. I think the issue is from the new Sonar Engine (introduced in version 12) not being able to find a reputable match on the files with UPX compression enabled.

Share this post

Link to post

Share on other sites

kckennedy 0

kckennedy 0

The new 12.1.1101.401 RU1 MP1 version is what we are testing now... The x64-bit install seems to perform fine with no issues on our Windows 7 64-bit machines. It's the x32 install on Windows XP we are having the issue even when compiling without UPX compression in Auto v3.3.8.1. If you go to Client Management settings and turn off their new "Insight lookups" function, the performance problems go away altogether (this is not recommended though - can lead to more false positives). Seems like Symantec could make this work similar between x32 and x64, but when we opened a ticket with them they also suggested doing exceptions. We are looking at that, but this is causing us problems with other executables besides compiled AutoIt scripts.

Share this post

Link to post

Share on other sites

kckennedy 0

kckennedy 0

You can also troubleshoot this by disabling the "Allow Insight lookups for threat detection (recommended)" option in the client under "Change Settings"; "Client Management"; "Configure Settings" button; Submissions tab.